网络安全

位置:IT落伍者 >> 网络安全 >> 浏览文章

实例讲解Oracle监听口令及监听器安全
发布日期:2021年11月19日
 
实例讲解Oracle监听口令及监听器安全

很多人都知道Oracle的监听器一直存在着一个安全隐患假如不设置安全措施那么能够访问的用户就可以远程关闭监听器

相关示例

D:\>lsnrctl stop eygleLSNRCTL for bit Windows: Version Production on ::Copyright (c) Oracle  All rights reserved正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=))(CONNECT_DATA=(SERVICE_NAME=eygle)))命令执行成功

大家可以发现此时缺省的监听器的日志还无法记录操作地址

No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))NOV :: * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=stop)(ARGUMENTS=)(SERVICE=eygle)(VERSION=)) * stop *

为了更好的保证监听器的安全大家最好为监听设置密码

[oracle@jumper log]$ lsnrctl      LSNRCTL for Linux: Version Production on NOV ::Copyright (c) Oracle Corporation  All rights reservedWelcome to LSNRCTL type help for informationLSNRCTL> set current_listener listenerCurrent Listener is listenerLSNRCTL> change_passwordOld password: New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))Password changed for listenerThe command completed successfullyLSNRCTL> set passwordPassword: The command completed successfullyLSNRCTL> save_configConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))Saved LISTENER configuration parametersListener Parameter File  /opt/oracle/product//network/admin/listeneroraOld Parameter File  /opt/oracle/product//network/admin/listenerbakThe command completed successfully

在我们设置密码后远程操作将会因缺失密码而出现失败

D:\>lsnrctl stop eygleLSNRCTL for bit Windows: Version Production on ::Copyright (c) Oracle  All rights reserved正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=))(CONNECT_DATA=(SERVICE_NAME=eygle)))TNS: 监听程序尚未识别口令

注意此时在服务器端或客户端都需要我们通过密码来起停监听器

LSNRCTL> set passwordPassword: The command completed successfullyLSNRCTL> stopConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))The command completed successfullyLSNRCTL> startStarting /opt/oracle/product//bin/tnslsnr: please waitTNSLSNR for Linux: Version ProductionSystem parameter file is /opt/oracle/product//network/admin/listeneroraLog messages written to /opt/oracle/product//network/log/listenerlogTrace information written to /opt/oracle/product//network/trace/listenertrcListening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=)))STATUS of the LISTENERAlias                    LISTENERVersion                  TNSLSNR for Linux: Version ProductionStart Date                NOV ::Uptime                     days hr min secTrace Level              supportSecurity                  ONSNMP                      OFFListener Parameter File  /opt/oracle/product//network/admin/listeneroraListener Log File        /opt/oracle/product//network/log/listenerlogListener Trace File      /opt/oracle/product//network/trace/listenertrcListening Endpoints Summary  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=)))Services SummaryService eygle has instance(s)  Instance eygle status UNKNOWN has handler(s) for this serviceService julia has instance(s)  Instance eygle status UNKNOWN has handler(s) for this serviceThe command completed successfully

另外ADMIN_RESTRICTIONS参数也是一个重要的安全选项大家可以在 listenerora 文件中设置 ADMIN_RESTRICTIONS_

为 ON此后所有在运行时对监听器的修改都将会被阻止所有对监听器的修改都必须通过手工修改listenerora文件才能顺利完成

               

上一篇:Oracle监听口令及监听器安全

下一篇:加密存储过程使在schema下看不到源码